Group Changes and Rare/Frequent Admins etc. not displayed

I've set up SuperCharger for AD monitoring using SPLUNK, accurately following the documentation and webinar; however, I'm not seeing the Group Changes and Rare/Frequent Admins etc. in the SPLUNK app for LOGBINDER. Following the forums I've also tried a couple of things like:

[admin_combined]
definition = eval Admin=SubjectAccountDomain."\\".SubjectAccountName
iseval = 0

>1) 'admin_combined' macro is empty

It is indeed strange that the admin_combined macro is empty; it should not be so. Check whether the same macro is redefined in the local directory of the app.

>2) No event in the collector ADChanges Log for 4730 or 4727

4727 is not the only group creation event; we are checking for these

( EventCode=4727 OR EventCode=4731 OR EventCode=4754 )

with the group_creation_eventcodes macro. Please check whether, after creating a group, one of those three is present in the logs.

4) Can you confirm that all configuration done in AD is just for the "Default Domain Controllers Policy"? Referring to your documentation, step 4 (configuring Event Forwarding) refers to "Default Domain Policy"; assuming that was a typo, I configured the "Default Domain Controllers Policy" itself. I hope this is not the issue.

5) The Managed Filter used is "Builtin - Security: AD Changes"; its XPath does not monitor 4727 or 4731. I hope this is also normal. Since it's a free edition, I cannot modify the built-in filters.

Let's start with the Group Changes table. If I understand correctly, the 4754 event is now present in the Group Changes table, but the "Admin" and "Group" columns are empty. Is that so?

The Admin field is populated based on the admin_combined macro, and Group based on the group_combined macro. You mentioned that the admin_combined macro was empty; that might cause the Admin field to be empty. Where did you see that, in the Splunk GUI (Advanced search » Search macros)?

Let we start with the Group changes table. If I get it correctly, the 4754 event is now present in Group Changes table, but the "Admin" and "Group" columns are empty, is it so?

Admin field is populated based on admin_combined, and Group based on group_combined macros. You mentioned that admin_combined macro was empty. That might cause the Admin field to be empty. Where did you see that, in the Splunk GUI ( Advanced search » Search macros ) ?

Yes, that's right. I can see Date & Change under the Group Changes table, but no values for the Admin & Group columns.

Yes, I checked admin_combined under Advanced search >> Search macros.

Probably there is something not configured properly in %SPLUNK_HOME%\etc\apps\logbinder\local\macros.conf.

Did you change any of the macros in the app intentionally? If not, then it is safe to delete that file completely. The definition field of the macro should not be empty.

No, I haven't made any explicit changes to any macros for the app. I've removed the macro file "%SPLUNK_HOME%\etc\apps\logbinder\local\macros.conf", but the results are the same. Please find attached the search results for the admin_combined and group_combined macros.

If you put just that macro in the search, it is expected to return nothing; it just creates a new field based on two existing fields, if they are present.

>I've removed the macro file

Please restart Splunk after removing that file, so that the change takes effect.

After the restart the "Advanced search >> Search macros" should look like this:

After restarting SPLUNK, it now looks the same as your screenshot under Advanced search >> Search macros, with 44 items. However, the dashboard panels are still missing the Admin & Group columns. Is there anything to be done at the collector? I've already restarted the collector.

Or alternatively, could you send a screenshot of the raw group creation event in Splunk, so we can see that everything needed is present in the event? Please paint over the parts which are sensitive to share.
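The field check the last reply asks for can be scripted; this is an added example, not code from the thread or from the LOGbinder app. It emulates the admin_combined/group_combined evals over raw group creation events (4727/4731/4754) to show which missing event fields leave the Admin or Group column empty, and flags macros.conf stanzas whose definition is blank, the state found in the local override earlier in the thread. The Group field names and all sample events are assumptions constructed for illustration.

```python
# Added diagnostic (not LOGbinder's code): emulate the admin_combined /
# group_combined evals over raw AD events and flag empty macros.conf definitions.
import configparser
from typing import Optional

# Group creation event codes from the group_creation_eventcodes macro quoted above.
GROUP_CREATION_EVENTCODES = {"4727", "4731", "4754"}
# Field pairs each macro joins with a backslash. The Admin pair is the definition
# shown in the thread; the Group pair is an assumed naming used for illustration.
MACRO_FIELDS = {
    "Admin": ("SubjectAccountDomain", "SubjectAccountName"),
    "Group": ("GroupDomain", "GroupName"),  # assumed field names
}

def combined(event: dict, domain_field: str, name_field: str) -> Optional[str]:
    """Mimic `eval X=Domain."\\".Name`: Splunk yields null if either operand is null."""
    domain, name = event.get(domain_field), event.get(name_field)
    if domain is None or name is None:
        return None
    return f"{domain}\\{name}"

def diagnose(events: list) -> list:
    """For each group creation event, compute both columns and list missing fields."""
    report = []
    for ev in events:
        if ev.get("EventCode") not in GROUP_CREATION_EVENTCODES:
            continue  # not one of the three codes the dashboard searches for
        row = {"EventCode": ev["EventCode"], "missing": []}
        for column, (dom, name) in MACRO_FIELDS.items():
            row[column] = combined(ev, dom, name)
            row["missing"] += [f for f in (dom, name) if f not in ev]
        report.append(row)
    return report

def empty_macro_definitions(macros_conf: str) -> list:
    """Return stanza names whose `definition` is blank or absent (the bad state)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(macros_conf)
    return [s for s in cp.sections() if not cp.get(s, "definition", fallback="").strip()]

# Constructed samples: a 4754 event missing subject and group fields (the symptom in
# the thread), a complete 4731, an unrelated 4720, and a local override blanking admin_combined.
SAMPLE_EVENTS = [
    {"EventCode": "4754"},
    {"EventCode": "4731", "SubjectAccountDomain": "CORP", "SubjectAccountName": "jsmith",
     "GroupDomain": "CORP", "GroupName": "Finance-RO"},
    {"EventCode": "4720", "SubjectAccountDomain": "CORP", "SubjectAccountName": "jsmith"},
]
SAMPLE_LOCAL_MACROS_CONF = """[admin_combined]
definition =
iseval = 0
[group_creation_eventcodes]
definition = ( EventCode=4727 OR EventCode=4731 OR EventCode=4754 )
iseval = 0
"""
```

Run `diagnose(SAMPLE_EVENTS)` to see the 4754 row report all four fields missing while the 4731 row yields `CORP\jsmith` and `CORP\Finance-RO`; a real export from Splunk can be fed in the same dict form.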